1. Introduction



An important problem in cryptography is the so called Decision Diffie-Hellman problem (henceforth abbreviated DDH). The problem is to distinguish triples of the form $(g^a, g^b, g^{ab})$ from arbitrary triples from a cyclic group $G = \langle g \rangle$. It turns out that for (cyclic subgroups of) the group of $m$-torsion points on an elliptic curve over a finite field, the DDH problem admits an efficient solution if there exists a suitable endomorphism called a distortion map (which can be efficiently computed) on the elliptic curve.

Suppose $m$ is relatively prime to the characteristic of a finite field $\mathbb{F}_q$; then the group of $m$-torsion points on an elliptic curve $E/\mathbb{F}_q$, denoted $E[m]$, is isomorphic to $(\mathbb{Z}/m\mathbb{Z}) \times (\mathbb{Z}/m\mathbb{Z})$. Fix an elliptic curve $E/\mathbb{F}_q$ and a prime $\ell$ that is not the characteristic of $\mathbb{F}_q$. Let $P$ and $Q$ generate the group $E[\ell]$. A distortion map on $E$ is an endomorphism $\phi$ of $E$ such that $\phi(P) \notin \langle P \rangle$. A distortion map can be used to solve the DDH problem on the group $\langle P \rangle$ as follows: given a triple $R, S, T$ of points belonging to the group generated by $P$, we check whether $e_\ell(R, \phi(S)) = e_\ell(P, \phi(T))$, where $e_\ell$ is the Weil pairing on the $\ell$-torsion points. It follows from well known properties of the Weil pairing that this check succeeds if and only if $R = aP$, $S = bP$ and $T = abP$. Under the assumptions that $P$ and $Q$ are both defined over $\mathbb{F}_{q^k}$, where $k$ is not large (say, bounded by a fixed polynomial in $\log(q)$), and that $\phi$ can be computed in polynomial time, the DDH problem can be solved in polynomial time using this idea. If $P$ and $Q$ are not eigenvectors for the Frobenius map, then in many cases one can use the trace map as a distortion map (see [GR04]). For this reason, we will concentrate only on the subgroups that are Frobenius eigenspaces.

It is known that distortion maps exist on supersingular elliptic curves ([Ver01, GR04]), and that distortion maps that do not commute with the Frobenius do not exist on ordinary elliptic curves (see [Ver01] or [Ver04, Theorem 6]). The latter implies that distortion maps do not exist for ordinary elliptic curves with embedding degree $> 1$. The embedding degree, say $k$, is the order of $q$ in the group $(\mathbb{Z}/\ell\mathbb{Z})^*$. A theorem of Balasubramanian and Koblitz ([BK98, Theorem 1]) says that if $E(\mathbb{F}_q)$ contains an $\ell$-torsion point and $k > 1$, then $E[\ell] \subseteq E(\mathbb{F}_{q^k})$. Thus, the only remaining cases where the existence of distortion maps is not known are the cases when the embedding degree $k$ is 1. If the embedding degree is 1 and $E(\mathbb{F}_q)$ contains an $\ell$-torsion point, then there are two possibilities: either $E[\ell](\mathbb{F}_q)$ is cyclic or $E[\ell] \subseteq E(\mathbb{F}_q)$. In the former situation there are no distortion maps (by [Ver04, Theorem 6]). However, the Tate pairing can be used to solve DDH efficiently in this case (see the comments in [GR04] following Remark 2.2). Thus, the only case in which the question of the existence of a distortion map remains open is when $E[\ell] \subseteq E(\mathbb{F}_q)$. In this article we characterize the existence of distortion maps for this case.

2. The Proof 

Let $k$ be a finite field, $\mathbb{F}_q \supseteq k$, and $E/k$ be an ordinary elliptic curve. Suppose $\ell$ is a prime such that $E[\ell] \subseteq E(\mathbb{F}_q)$ but no point of exact order $\ell$ is defined over a smaller field.

To study the existence of distortion maps, we study the reduction of the ring $\mathrm{End}(E)$ modulo $\ell$. Our principal tool is the following observation: if $\alpha \in \mathrm{End}(E)$ has field polynomial $f(x) \in \mathbb{Z}[x]$, then $f \bmod \ell$ is the characteristic equation of the action of $\alpha$ on $E[\ell]$.

Let $\pi$ be the $q$-th power Frobenius endomorphism on $E$ and let $\phi^2 - t\phi + q = 0$ be its characteristic equation. We know that $t \equiv 2 \bmod \ell$ and $q \equiv 1 \bmod \ell$, as the full $\ell$-torsion is defined over $\mathbb{F}_q$.
Let $O = \mathrm{End}(E)$, $K = O \otimes \mathbb{Q}$ and $O_K$ the maximal order in $K$. We have the inclusions $\mathbb{Z}[\pi] \subseteq O \subseteq O_K$. Since $t^2 - 4q \equiv 0 \bmod \ell$, we have that $\ell$ divides the product $[O : \mathbb{Z}[\pi]]\,[O_K : O]\,\mathrm{Disc}(K)$. The existence of distortion maps splits into cases depending on whether $\ell \mid [O_K : O]$ or $\ell \mid \mathrm{Disc}(K)$. Indeed, if $\ell \mid [O_K : O]$ there are no distortion maps, since the reduction modulo $\ell$ of every endomorphism is just multiplication by a scalar.

In the following we assume that $\ell \nmid [O_K : O]$, so that the conductor of $O$ is prime to $\ell$. Under this assumption we have that the residue class rings satisfy

$$O_K/(\ell) \cong O/(\ell).$$

Suppose that $\ell \nmid \mathrm{Disc}(K)$ and that $\ell$ is inert in $O_K$; then $O/(\ell) \cong \mathbb{F}_{\ell^2}$. Let $\alpha \in O$ be an endomorphism such that $\alpha \bmod (\ell)$ does not lie in $\mathbb{F}_\ell$. Then the action of $\alpha$ on $E[\ell]$ is irreducible, since its characteristic equation is irreducible over $\mathbb{F}_\ell$. Now $\alpha$ gives us a distortion map on $E[\ell]$, since no subgroup of order $\ell$ of $E[\ell]$ is stabilized by $\alpha$.

Now if $\ell \nmid \mathrm{Disc}(K)$ and $\ell$ is split in $O_K$, then $O/(\ell) \cong \mathbb{F}_\ell[X]/(X-a)(X-b) \cong (\mathbb{Z}/\ell\mathbb{Z})^2$ (where $a \neq b$). The action of any $\alpha \in O_K$ that corresponds to the image of $X$ in $\mathbb{F}_\ell[X]/(X-a)(X-b)$ under the isomorphism is conjugate to $\begin{pmatrix} a & 0 \\ 0 & b \end{pmatrix}$. Thus, distortion maps exist for all but two of the subgroups of $E[\ell]$.

Suppose that $\ell \mid \mathrm{Disc}(K)$, so that $\ell$ is ramified in $O_K$; then $O/(\ell) \cong \mathbb{F}_\ell[X]/(X-a)^2$. Consider the map $\alpha \in O$ that corresponds to the image of $X$ in the ring $\mathbb{F}_\ell[X]/(X-a)^2$. The action of $\alpha$ on $E[\ell]$ is conjugate to $\begin{pmatrix} a & \beta \\ 0 & a \end{pmatrix}$. Note that $\beta \neq 0$, for if $\beta = 0$ then $O/(\ell) \cong \mathbb{Z}/\ell$, but we know that $O/(\ell)$ has rank 2 over $\mathbb{Z}/\ell$ since $\ell$ is ramified in $O_K$ and does not divide the conductor of $O$. Thus, distortion maps exist for all but one subgroup of $E[\ell]$.

In summary, we have: 

Theorem 2.1. Let $k$ be a finite field, $\mathbb{F}_q \supseteq k$, and $E/k$ be an ordinary elliptic curve whose endomorphism ring is $O$, an order in an imaginary quadratic field $K$. Suppose $\ell$ is a prime such that $E[\ell] \subseteq E(\mathbb{F}_q)$ but no point of exact order $\ell$ is defined over a smaller field.

(1) If $\ell \mid [O_K : O]$ there are no distortion maps.

(2) If $\ell \nmid [O_K : O]\,\mathrm{Disc}(K)$ and

(a) $\ell$ is inert in $O_K$, then there are distortion maps for every (order $\ell$) subgroup of $E[\ell]$;

(b) $\ell$ is split in $O_K$, then all but two subgroups of $E[\ell]$ have distortion maps.

(3) If $\ell \nmid [O_K : O]$ and $\ell \mid \mathrm{Disc}(K)$, so that $\ell$ is ramified in $O_K$, then all (except one) subgroups of $E[\ell]$ have distortion maps.

3. Examples 

In this section, we give examples to illustrate that all the cases in Theorem 2.1 do occur.

Example 3.1. Consider the elliptic curve $E : y^2 = x^3 + x$ over $\mathbb{Q}$. $E$ has complex multiplication by $\mathbb{Z}[i]$ and has good reduction at all odd primes. Let $p$ be a prime such that $p \equiv 1 \bmod 4$, let $\bar{E}$ be the reduction of $E$ modulo $p$, and let $i^2 \equiv -1 \bmod p$. Then $\bar{E}[2] \subseteq \bar{E}(\mathbb{F}_p)$ and $\bar{E}[2]$ is $\{O_E, (0,0), (i,0), (-i,0)\}$, where $O_E$ is the identity element. The map $[i]$ is an endomorphism that sends $(x,y) \mapsto (-x, iy)$. It is easy to see that the map $[i]$ preserves the subgroup $\langle (0,0) \rangle$ and interchanges the remaining two subgroups of order 2 of $\bar{E}[2]$. Note that Deuring's reduction theorem tells us that $\mathrm{End}(\bar{E}) = \mathbb{Z}[i]$. Furthermore, in this case the subring $\mathbb{Z}[\pi]$ generated by the Frobenius is usually a smaller ring. Indeed, if $t$ is the trace of Frobenius and $t^2 - 4p = -4b^2$, then the conductor of the order $\mathbb{Z}[\pi]$ is $b$. Now $b$ is at least 2, since $t \equiv 2 \bmod 4$, so $t/2$ is odd and we must have $p = (t/2)^2 + b^2$. Thus, case (3) of Theorem 2.1 applies and matches what we observe for the 2-torsion.

Example 3.2. (Suggested by an anonymous reviewer.) Let $E$ be the curve over $\mathbb{F}_{701}$ given by the equation $y^2 = x^3 - 35x + 98$, so that $\mathrm{End}(E) = \mathbb{Z}[\frac{1+\sqrt{-7}}{2}]$, which is the maximal order in $\mathbb{Q}(\sqrt{-7})$. The order $\mathbb{Z}[\pi]$ has conductor 10 in $\mathrm{End}(E)$. The 5-torsion is $\mathbb{F}_{701}$-rational, and moreover, 5 is inert in $\mathrm{End}(E)$. Theorem 2.1 (2a) shows that every subgroup of $E[5]$ admits a distortion map. Indeed, the map corresponding to multiplication by $\alpha = \frac{1+\sqrt{-7}}{2}$ is given by ([IHnni], Chapter II, Proposition 2.3.1 (iii))

Let us check this for the group generated by the 5-torsion point $P = (224, 31)$ (in affine coordinates). Since $\alpha = 386$ in $\mathbb{F}_{701}$, this tells us that $[\alpha](P) = (173, 194)$. One checks that the Weil pairing $e_5(P, [\alpha](P)) = 464 \neq 1$. Thus, $[\alpha]$ works as a distortion map for the group generated by $P$.

Now the 5-torsion of $E$ is generated by $P$ and the point $Q = (573, 450)$. A similar computation shows that $[\alpha](Q) = (463, 495)$. Also, $e_5(Q, [\alpha](Q)) = 89 \neq 1$. Again, this shows that $[\alpha]$ works as a distortion map.

Given these calculations it is not hard to find the matrix of the action of $[\alpha]$ on $E[5]$ relative to the basis $\{P, Q\}$:

$$\begin{pmatrix} 0 & -1 \\ 2 & 1 \end{pmatrix}.$$

The characteristic polynomial of this matrix is irreducible modulo 5 and thus the action on $E[5]$ is irreducible.
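As an added worked check (not the paper's own computation; it does not reproduce the formula for $[\alpha]$ and reads the curve as $y^2 = x^3 - 35x + 98$ over $\mathbb{F}_{701}$), the following Python recovers the matrix above by writing the quoted points $[\alpha](P)$ and $[\alpha](Q)$ in the basis $\{P, Q\}$, and confirms that the characteristic polynomial is $x^2 - x + 2 \bmod 5$ with no root in $\mathbb{F}_5$:

```python
# Added example, not from the paper: check the Example 3.2 data by plain affine
# arithmetic on E : y^2 = x^3 - 35x + 98 over F_701.  [alpha]P and [alpha]Q are
# the values quoted in the text; the formula for [alpha] is not reproduced here.
p, A, B = 701, -35, 98          # y^2 = x^3 + A*x + B over F_p
O = None                        # point at infinity

def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % p == 0

def add(P1, P2):                # chord-and-tangent addition, affine coordinates
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                # P1 = -P2
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(n, pt):                 # n * pt by repeated addition (n < 6 here)
    R = O
    for _ in range(n):
        R = add(R, pt)
    return R

def coords(target, P, Q, l):    # write target = a*P + b*Q with 0 <= a, b < l
    for a in range(l):
        for b in range(l):
            if add(mul(a, P), mul(b, Q)) == target:
                return a, b
    raise ValueError("target not in the span of P and Q")

def alpha_matrix():             # matrix of [alpha] on E[5] w.r.t. {P, Q}, columns = images
    P, Q = (224, 31), (573, 450)
    aP, aQ = (173, 194), (463, 495)      # [alpha]P, [alpha]Q as stated in Example 3.2
    if not all(on_curve(T) for T in (P, Q, aP, aQ)) or mul(5, P) is not O or mul(5, Q) is not O:
        raise ValueError("P, Q, [alpha]P, [alpha]Q must be 5-torsion points on E")
    (a1, b1), (a2, b2) = coords(aP, P, Q, 5), coords(aQ, P, Q, 5)
    return ((a1, a2), (b1, b2))

def char_poly_mod5(M):          # (t, n) with x^2 - t*x + n the characteristic polynomial mod 5
    (a, b), (c, d) = M
    return (a + d) % 5, (a * d - b * c) % 5

def irreducible_mod5(t, n):     # a quadratic over F_5 is irreducible iff it has no root
    return not any((x * x - t * x + n) % 5 == 0 for x in range(5))
```

The search finds $[\alpha](P) = 2Q$ and $[\alpha](Q) = 4P + Q = -P + Q$, which are exactly the columns of the matrix in the text.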

Example 3.3. One can use the elliptic curve $E$ from Example 3.2 to illustrate case (2b) of Theorem 2.1. This time we look at $E[2]$ (also contained in $E(\mathbb{F}_{701})$), which is generated by the points $P = (319, 0)$ and $Q = (389, 0)$. The prime 2 splits completely in $\mathrm{End}(E)$. The proof of Theorem 2.1 tells us that the characteristic polynomial of the action of the endomorphism $[\alpha]$ has two distinct roots and that $[\alpha]$ would work as a distortion map for all but two subgroups of $E[2]$. Now the minimal polynomial of $\alpha$ is $x^2 - x + 2$, and modulo 2 this splits as $x(x+1)$. Thus the action of $[\alpha]$ on $E[2]$ will have two eigenvectors, with eigenvalues 0 and 1 respectively. It is easy to check given the formula for $[\alpha]$ that indeed $[\alpha](P) = O_E$ and $[\alpha](Q) = Q$.

Example 3.4. In this example we illustrate that case (1) of Theorem 2.1 also occurs. Consider the curve $E/\mathbb{Q}$ given by the Weierstrass equation

$$y^2 = x^3 - \frac{3375}{121}\,x + \frac{6750}{121}.$$

The $j$-invariant of $E$ is $2^4 3^3 5^3$ and the conductor of $E$ is 108900. $E$ has CM by the order of conductor 2 in $\mathbb{Q}(\sqrt{-3})$. Thus $\mathrm{End}(E) = \mathbb{Z} + 2O_K$, where $O_K = \mathbb{Z} + \mathbb{Z}\,\tfrac{1}{2}(1 + \sqrt{-3})$. $E$ has good reduction at the prime 13, and one sees that the reduction $\bar{E}$ has $\mathbb{F}_{13}$-rational 2-torsion. Now $\mathrm{End}(E) \cong \mathrm{End}(\bar{E})$ by the Deuring reduction theorem ([Lan87, Chapter 13 §4, Theorem 12]), but $\mathrm{End}(\bar{E})$ acts on $\bar{E}[2]$ through $\mathbb{Z}/2\mathbb{Z}$, and so there are no distortion maps.